Manage certificates (FAST Search Server 2010 for SharePoint)

FAST Search Server 2010

Applies to: FAST Search Server 2010

Topic Last Modified: 2012-06-26

FAST Search Server 2010 for SharePoint uses several certificates for authentication and encryption purposes. The certificates are used both for communication between servers in a multiple server FAST Search Server 2010 for SharePoint farm, and between FAST Search Server 2010 for SharePoint and Microsoft SharePoint Server 2010.

Each server in a FAST Search Server 2010 for SharePoint farm potentially has three kinds of certificates, which serve different functions and must be configured (and replaced) separately:

General purpose certificate

A self-signed FAST Search certificate (for test environments) or a certificate signed by a certificate authority (for production environments). The self-signed certificate should be replaced with a farm-wide or server-specific CA signed certificate that fits the existing certificate infrastructure of the organization. The general purpose certificate is used for internal communication, administration services, and to enable secure content feeding from SharePoint Server to FAST Search Server 2010 for SharePoint.

Query HTTPS certificate

A server-specific certificate to encrypt query traffic that uses HTTPS. Only used on query servers that have HTTPS query traffic enabled.

Claims certificate

A claims certificate to enable item level security trimming on queries. Only used on query servers.

This article describes the steps needed to replace these certificates because of, for example, expiration or revocation.

We highly recommend that you replace the default self-signed general purpose certificate with a CA signed certificate when you move your deployment from test to production.

During initial installation, FAST Search Server 2010 for SharePoint generates a self-signed certificate. The self-signed certificate is only meant to be used in test environments. There are several limitations to this default self-signed certificate:

It expires after one year from the time of configuration.

It provides limited security because it cannot be revoked: if the private key were compromised, an attacker could spoof identities or insert data into connections, and there is no way to invalidate the certificate.

To help achieve a high level of security in a production environment, we recommend that you use certificates signed by a common certification authority (CA) for FAST Search Server 2010 for SharePoint.

Your organization may have an existing public key infrastructure (PKI) that can issue these certificates. If your organization does not have an existing PKI, you can acquire certificates from a third-party certificate issuing authority. Your organization may also have its own business processes and tools to issue and manage CA signed certificates. There are no specific properties that the certificate must have, but there are some requirements that must be met. Authorization is done by matching the thumbprint of the CA signed certificate across servers and by checking that the certificate issuer is trusted.

The CA signed certificate must be installed on each server in a multiple server FAST Search Server 2010 for SharePoint farm.

The following requirements apply to each certificate:

The subject name or subject alternative name (SAN) field must contain the fully qualified domain name (FQDN) of the server that the certificate is issued to. This is required to support queries over HTTPS and administration services over HTTPS.

The certificate that is issued to SharePoint Server 2010 must have the same issuer as the certificates that are issued to servers in the FAST Search Server 2010 for SharePoint farm.

The FAST Search Server 2010 for SharePoint user must have access to the private key of the certificate.
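The three requirements above can be checked on a server before the replacement script is run. The following function is an added example, not part of the FAST Search Server 2010 for SharePoint product or its documentation; the function name, the parameter names and the placeholder thumbprints in the usage line are assumptions, and it reads certificates from Cert:\LocalMachine\My, where the CA signed certificate is installed.

```powershell
# Added example: verify the certificate requirements (FQDN in subject or SAN, same issuer as a
# reference certificate, private key reachable) for a certificate in Cert:\LocalMachine\My.
function Test-FastCertificateRequirements {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # certificate installed on this server
        [string]$ReferenceThumbprint,                 # certificate whose issuer must match (e.g. the SharePoint one)
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $results = [ordered]@{}

    # Requirement 1: subject CN or subject alternative name must contain the server FQDN.
    $subjectCn = ($cert.Subject -split ',') | Where-Object { $_.Trim() -like 'CN=*' } |
                 ForEach-Object { $_.Trim().Substring(3) }
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }   # e.g. "DNS Name=host.contoso.com"
    $results['FqdnInSubjectOrSan'] = ($subjectCn -eq $ExpectedFqdn) -or
                                     ($sanText -match [regex]::Escape($ExpectedFqdn))

    # Requirement 2: same issuer as the reference certificate (the SharePoint Server side).
    if ($ReferenceThumbprint) {
        $ref = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ReferenceThumbprint }
        $results['SameIssuerAsReference'] = ($null -ne $ref) -and ($ref.Issuer -eq $cert.Issuer)
    }

    # Requirement 3: the private key exists and the caller can open it. HasPrivateKey is true even
    # when the key ACL denies access, so actually touch the key; run this as the FAST Search user.
    try {
        $results['PrivateKeyAccessible'] = $cert.HasPrivateKey -and ($null -ne $cert.PrivateKey)
    } catch {
        $results['PrivateKeyAccessible'] = $false   # CryptographicException: key present, access denied
    }

    # Useful when the replacement is driven by expiration.
    $results['DaysUntilExpiry'] = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]$results
}

# Usage with constructed placeholder thumbprints:
# Test-FastCertificateRequirements -Thumbprint 'AABBCC...' -ReferenceThumbprint 'DDEEFF...'
```

Run it under the FAST Search Server 2010 for SharePoint user account so that the PrivateKeyAccessible result reflects that account's rights rather than the administrator's.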

FAST Search Server 2010 for SharePoint includes a Windows PowerShell script that must be run on each server in the deployment to replace the default self-signed certificate. The script can perform two separate tasks:

Copy the script SecureFASTSearchConnector.ps1 from the FAST Search Server 2010 for SharePoint administration server to the SharePoint Server 2010 server that is running the FAST Search connector. The SecureFASTSearchConnector.ps1 script can be found in the installation folder, under \installer\scripts\.

On the SharePoint Server 2010 server that is running the FAST Search connector, follow these steps:

On the Start menu, click All Programs.

Click Microsoft SharePoint 2010 Products.

Right-click SharePoint 2010 Management Shell, and select Run as administrator.

Browse to the directory where you copied the SecureFASTSearchConnector.ps1 script and run it, replacing the necessary parameters with the values for your environment. The domain and user name should reflect the details of the user running the SharePoint Server Search 14 service (OSearch14):

If you know the thumbprint of your certificate, type the following command:

This command will return the thumbprint of the available certificates and a prompt asking whether you want to use the suggested certificate.

Enter y for yes, and then press Enter.

Multiple server deployments

If you have configured the FAST Search Content SSA to use more than one crawl component, you must install the same CA signed certificate on each SharePoint Server 2010 server that has a crawl component.

Make sure that the server has a certificate installed that is issued and signed by the same certification authority as the certificate on the host server of the FAST Search Content SSA. The certificate must be installed under Certificates(Local Computer)\Personal in the certificate store. The root CA certificate must be installed under Certificates(Local Computer)\Trusted Root Certification Authorities.

Grant the Search Service Application account (the account under which the SharePoint Server Search 14 service (OSearch14) runs) access to the private key of the imported certificate.

If you have configured the FAST Search Content SSA to use more than one crawl component, you must import the new self-signed certificate to each SharePoint Server 2010 server that has a crawl component.

Import the new FASTSearchCert.pfx certificate in the certificate store under Certificates(Local Computer)\Personal.

Grant the Search Service Application account (the account under which the SharePoint Server Search 14 service (OSearch14) runs) access to the private key of the imported certificate.
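The last two steps above (confirm the certificate chains to a trusted root, then give the OSearch14 account access to the private key) can be done from PowerShell on the crawl component server. This is an added example, not a script shipped with FAST Search Server 2010 for SharePoint; the function name and the account in the usage line are assumptions, and it assumes the private key was created by a legacy CSP, so the key container file lives under ProgramData\Microsoft\Crypto\RSA\MachineKeys.

```powershell
# Added example: check the trust chain of an imported certificate in Cert:\LocalMachine\My and
# grant a service account (the one running OSearch14) read access to its private key.
function Grant-FastPrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Account     # e.g. 'CONTOSO\spsearch' (placeholder)
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint is not in Certificates(Local Computer)\Personal" }

    # Build the chain with the machine stores; failure usually means the issuing or root CA
    # certificate is missing from Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check of store contents only
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Certificate chain does not build to a trusted root: $status"
    }

    # Locate the key container file (CSP keys only; CNG keys live under ...\Crypto\Keys instead).
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $keyName) { throw "Could not resolve the CSP key container for $Thumbprint" }
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"

    # Add a Read ACE for the service account; Read is enough for the service to use the key.
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    # Return the resulting ACL entries for the account so the change can be reviewed.
    (Get-Acl -Path $keyPath).Access | Where-Object { $_.IdentityReference -eq $Account }
}

# Usage with a constructed placeholder thumbprint and account:
# Grant-FastPrivateKeyRead -Thumbprint 'AABBCC...' -Account 'CONTOSO\spsearch'
```

Run the function from an elevated PowerShell session; it changes the ACL on a file under the machine key store, which a standard user cannot modify.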

In addition, if the new certificate was not signed by the same certification authority (CA) as the previous certificate, you must add the CA certificate to the SharePoint Server:

On SharePoint Server 2010:

Enable a trust relationship in SharePoint Server for the SSL certificate(s) that you created for each FAST Search Server 2010 for SharePoint query server. Do this by importing the public certificate of the signing authority of the SSL certificate(s) into SharePoint Server 2010:

On the Start menu, click All Programs.

Click Microsoft SharePoint 2010 Products.

Right-click SharePoint 2010 Management Shell, and select Run as administrator.